Managing shared resources with groups and permissions

Anton Kovalsky
  • Updated

Learn how to use permissions (roles) and managed groups to control how much - and with whom - you share in Terra. Note that Terra workspace permissions determine who access data and run analysis tools as well as who can incur GCP costs for an analysis. All workspace costs are billed through the Terra Billing project you assign to  the workspace when you create it.   

Controlling access to workspace data, analysis tools, and billing

You may already be familiar with the idea of using permissions (aka "roles") to control what collaborators can do with shared resources (such as datasets or analysis tools). Typical roles include owner, administrator, and user. Roles and permissions are "granted" by the owner or admin.

In Terra, you can assign roles for each resource (Google Cloud Billing account, Terra Billing project, and workspace) shown in the diagram below. Blue boxes are Google resources and grey are Terra resources. Workspaces include all data stored in the Workspace bucket as well as all workflows and notebooks. Read on for more details about what roles and permissions of each resource allow. 


Workspace permissions/roles

The permissions you have on a workspace (at the bottom of the diagram) determine if you can analyze, access, and share data, tools, and results (including job history).

Before you share with someone who doesn't have access to the workflows Users with access to a workspace get access to job history and the workflow - even if the workflow isn't public or shared. Best practices: If you don’t want someone seeing your work, don’t share your workspace with them.


When you share a workspace, you grant each collaborator a role, or permission level, in the share screen (screenshot at left).

- Reader
- Writer
- Owner

- Can share
- Can compute

Workspace creators are owners, by default When you create a workspace, Terra automatically makes you the "owner". Owners control who can share the workspace, access data and accrue costs (run workflows or interactive analyses) by assigning roles (permission) to collaborators. 

Workspace (not billing) permissions determine who can incur GCP costs Workspace roles that allow users to incur costs include "Writer" and "Owner" and anyone with "Can-compute" permission. 

Roles that enable users to accrue costs are noted in red

May add/remove users (grant access), lock workspace, etc.
(can incur storage, compute and query costs)

May write to/add tables, workflow configs, etc. 
(can incur storage costs by adding data to the workspace bucket)

May read tables, method configs, etc. 

Able to launch workflows and interactive analyses (notebooks). 
(can run a workflow or start a Cloud Environment)

Able to grant others write access. 
(can enable others to incurs costs - also, see Writer, above)

Able to grant others read access. 

  Owner Writer Reader Can
Can edit workspace
documentation, data tables


 X  depends 
Can access data in
the workspace bucket


Can give others access


depends  -- depends

Can run workflows and
interactive analyses



Can store data



Billing permissions/roles

Roles on a Cloud Billing account or Terra Billing project determine who can create billing projects and workspaces (respectively). Google Cloud Billing account owners and admins can also access workflow spend reporting in Terra, detailed cost breakdowns in GCP and set budget alerts (in GCP console). Billing account viewers can see detailed cost breakdowns in GCP console. 

Billing project roles don't directly affect who can work in a workspace Billing project roles determine whether you can create resources like projects or workspaces. Note that the creator is the initial owner, by default (but this can be modified). Once someone creates a workspace using a Terra Billing  project, they will be able to accrue costs (charged to that Terra Billing project)

Workspace permissions identify who can incur cost in a workspace. Workspace permissions can be very granular. Workspace owners can grant roles including "can-compute" or "can share" as well as the traditional "Owner," "Reader," and "Writer" roles. Note that a workspace creator is the owner by default. 

Google Cloud Billing account and Terra Billing project roles

Can see and manage all billing aspects, and add additional users to the billing.

Can view billing account information (on GCP console) 

Can create Terra Billing projects (Cloud Billing account user)or clone/create workspaces (Terra Billing project user). 


Access cost breakdown

Create Billing projects


Store and
analyze data

Cloud Billing account admin, owner, user

(in GCP console)

(in Terra UI)

(in Terra UI)

Depends on
workspace role

Terra Billing project owner or user



Depends on
workspace role

Example cases (some unintuitive billing permission scenarios)

  • A Billing project user won't have access to a workspace created by a collaborator under the same Billing project without the right workspace permission. The workspace owner would need to share the workspace and give them permission. 

  • Removing collaborators from a Google Cloud Billing account means they cannot create Terra Billing projects. It does not impact their ability to accrue charges in a workspace where they already have "can-compute" permission.

  • Removing collaborators from a Terra Billing project means they cannot create workspaces. It does not impact their ability to accrue charges in a workspace where they already have "can-compute" permission.

Managed groups - Enabling many users to access the same resources

A collaborative team may have many team members, numerous workspaces and even separate billing projects. To streamline resource management, especially since teams often change, owners can assign permissions (roles) to a managed group as well as to an individual. A managed group could include everyone in a research team, for example, who might need access to the same workspace or billing project.


Best practices for managing changing teams with groups

Groups are especially useful when team members change. Owners can simply adjust the group membership in the Groups page of Terra. This automatically updates the users for every resource shared with the group. This way, owners don't have to update every individual workspace, billing project etc. 


Roles for managed groups

Any individual in the group. When any form of access is granted to a group, the members include all who have that access.

May add or remove members or other admins to or from the group. Admins are also members of the group.

Users who are allowed to send notifications to the admins of a group. When a group is created, this access policy is set to public - meaning all users are able to request access to a group.

Group roles versus resource permissions Permissions for managed groups are not the same as permissions for other resources. If a group is given access to a workspace, the workspace owner controls the role of the group with respect to the workspace (i.e. reader or writer), but the group's owner controls the
role of the user in the group.

For example, if a group has the role of writer (not owner) in a workspace, even group
admins will only have writer access. The admins would need to be given writer access individually.

Create your team Terra group in four steps

1. Start at the Main Menu (from the top left of any page in Terra).

2. Go to your Groups page (Main menu > Groups).

3. In the Create a New Group card, click on the blue "+" icon.

4. Enter your human-friendly team group name and click the Create Group button.

You can share resources with the group just like with an individual. 

Note that the group admin can change who is in the group at any time in Terra. To add more people to the group, click on the group name and click + Add User. 

Permissions and groups and access to resources and billing - a lab scenario

Follow the story diagram below to see how permissions, groups and billing might affect access to resources in a cartoon lab scenario.

  • 1. The head of a research laboratory (User #1) creates a billing project - they are the "Owner" of the billing project

    2. User #1 assigns the role of “workspace creator” to their post-doctoral fellows (User #2) , charging them with the task of creating a fresh workspace to be shared with potential collaborators. The workspace will include shared data resources uploaded to the workspace Google bucket.

    3. The post doc creates the workspace (they are automatically the Owner of the workspace), adds some content, and then invites another coworker (User #3) to help edit the content - giving them “writer can-compute” permission in the workspace.

    4. User #3 is can now edit and run code in the workspace, but cannot give other new users access. Can you guess what role they have with respect to the workspace resource?

    5. In the meantime, a researcher from an unrelated group (User #4) - who wants to introduce a team of students to Terra - creates a managed group (they’re the "Owner" of the group).


    6. In order for the students (User #5, User #6) to access the workspace, User #2 (workspace owner) must give the group created by User #4 reader permission for that workspace. All the group's members, including the group's owner, will have "read" permissions on the workspace.

    7. The the group (users #4, 5 and 6) now has “Reader” permission.


Was this article helpful?

2 out of 4 found this helpful

Have more questions? Submit a request



Please sign in to leave a comment.